Why Is It Taking So Long to Secure Internet Routing?

Routing security incidents can still slip past deployed security defenses.

SHARON GOLDBERG, BOSTON UNIVERSITY

BGP (Border Gateway Protocol) is the glue that sticks the Internet together, enabling data communications between large networks operated by different organizations. BGP makes Internet communications global by setting up routes for traffic between organizations—for example, from Boston University’s network, through larger ISPs (Internet service providers) such as Level3, Pakistan Telecom, and China Telecom, then on to residential networks such as Comcast or enterprise networks such as Bank of America.

Certificate Transparency

Public, verifiable, append-only logs

BEN LAURIE, GOOGLE

On August 28, 2011, a mis-issued wildcard HTTPS certificate for google.com was used to conduct a man-in-the-middle attack against multiple users in Iran. The certificate had been issued by a Dutch CA (certificate authority) known as DigiNotar, a subsidiary of VASCO Data Security International. Later analysis showed that DigiNotar had been aware of the breach in its systems for more than a month—since at least July 19. It also showed that at least 531 fraudulent certificates had been issued. The final count may never be known, since DigiNotar did not have records of all the mis-issued certificates. On September 20, 2011, DigiNotar was declared bankrupt.

Securing the Tangled Web

Preventing script injection vulnerabilities through software design

CHRISTOPH KERN, GOOGLE

Script injection vulnerabilities are a bane of Web application development: deceptively simple in cause and remedy, they are nevertheless surprisingly difficult to prevent in large-scale Web development.

XSS (cross-site scripting) arises when insufficient data validation, sanitization, or escaping within a Web application allow an attacker to cause browser-side execution of malicious JavaScript in the application’s context. This injected code can then do whatever the attacker wants, using the privileges of the victim. Exploitation of XSS bugs results in complete (though not necessarily persistent) compromise of the victim’s session with the vulnerable application. This article provides an overview of how XSS vulnerabilities arise and why it is so difficult to avoid them in real-world Web application software development. The article then describes software design patterns developed at Google to address the problem. A key goal of these design patterns is to confine the potential for XSS bugs to a small fraction of an application’s code base, significantly improving one’s ability to reason about the absence of this class of security bugs. In several software projects within Google, this approach has resulted in a substantial reduction in the incidence of XSS vulnerabilities.

Node at LinkedIn: The Pursuit of Thinner, Lighter, Faster

A discussion with Kiran Prasad, Kelly Norton, and Terry Coatta

Node.js, the server-side JavaScript-based software platform used to build scalable network applications, has been all the rage among many developers for the past couple of years, although its popularity has also managed to enrage some others, who have unleashed a barrage of negative blog posts to point out its perceived shortcomings. Still, while new and untested, Node continues to win more converts.

Making the Web Faster with HTTP 2.0

HTTP continues to evolve

ILYA GRIGORIK

HTTP (Hypertext Transfer Protocol) is one of the most widely used application protocols on the Internet. Since its publication, RFC 2616 (HTTP 1.1) has served as a foundation for the unprecedented growth of the Internet: billions of devices of all shapes and sizes, from desktop computers to the tiny Web devices in our pockets, speak HTTP every day to deliver news, video, and millions of other Web applications we have all come to depend on in our everyday lives.

Queue Portrait: Nicholas Zakas

Queue Portrait #4: Nicholas Zakas

In this video interview conducted by Kate Matsudaira, Nicholas Zakas discusses the current state of front end engineering and Web development.

https://vimeo.com/71119898

Front-end engineering and Web development used to be scoffed at by back-end engineers. However, working in the front end of a Web application is so much more than just HTML and CSS these days. Many Web applications can have a whole MVC inside the view, and understanding the client is paramount to delivering expected performance and app-like interaction. Nicholas Zakas takes us through his journey working on the client side, explains the evolution of front-end engineering, and answers questions like “when should you use jQuery?” Nicholas currently works at Box, and was previously the front-end tech lead for the Yahoo! homepage and a contributor to the YUI library. He is also a keynote speaker and the author of four books: Maintainable JavaScript, Professional JavaScript for Web Developers, High Performance JavaScript, and Professional Ajax.

Best Practices on the Move: Building Web Apps for Mobile Devices

Which practices should be modified or avoided altogether by developers for the mobile Web?

ALEX NICOLAOU

If it wasn’t your priority last year or the year before, it’s sure to be your priority now: bring your Web site or service to mobile devices in 2013 or suffer the consequences. Early adopters have been talking about mobile taking over since 1999—anticipating the trend by only a decade or so. Today, mobile Web traffic is dramatically on the rise, and creating a slick mobile experience is at the top of everyone’s mind. Total mobile data traffic is expected to exceed 10 exabytes per month by 2017, as shown in figure 1 (in case your mind isn’t used to working in exabytes yet, that’s 10 million terabytes per month, or almost four terabytes per second).

How Fast is Your Web Site?

Web site performance data has never been more readily available.

PATRICK MEENAN

The overwhelming evidence indicates that a Web site’s performance (speed) correlates directly to its success, across industries and business metrics. With such a clear correlation (and even proven causation), it is important to monitor how your Web site performs. So, how fast is your Web site?

First, it is important to understand that no single number will answer that question. Even if you have defined exactly what you are trying to measure on your Web site, performance will vary widely across your user base and across the different pages on your site.

We will discuss active testing techniques that have traditionally been used, then explain newer technologies that permit the browser to report accurate timing data to the server.

The Evolution of Web Development for Mobile Devices

Building Web sites that perform well on mobile devices remains a challenge.

NICHOLAS C. ZAKAS

The biggest change in Web development over the past few years has been the remarkable rise of mobile computing. Mobile phones used to be extremely limited devices that were best used for making phone calls and sending short text messages. Today’s mobile phones are more powerful than the computers that took Apollo 11 to the moon, with the ability to send data to and from nearly anywhere. Combine that with 3G and 4G networks for data transfer, and now using the Internet while on the go is faster than my first Internet connection, which featured AOL and a 14.4-kbps dialup modem.
